ai-image-generation

Pass

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill recommends the installation of the @runcomfy/cli package from the official NPM registry and fetches generated assets from the vendor's own domains (*.runcomfy.net and *.runcomfy.com). These are official resources provided by the skill's author and are categorized as safe.
  • [COMMAND_EXECUTION]: The skill utilizes the runcomfy CLI to perform image generation tasks. It correctly instructs the agent to pass user prompts as part of a JSON-encoded string in the --input flag, which prevents shell injection by ensuring the content is not expanded by the shell.
  • [PROMPT_INJECTION]: The skill includes an indirect prompt injection surface (Category 8) as it processes untrusted user prompts and external image URLs that can influence model output.
    • Ingestion points: User-provided strings and reference image URLs passed to the runcomfy run command in SKILL.md.
    • Boundary markers: The skill uses structured JSON objects for the CLI's --input parameter, creating a clear boundary between the executable command and the user-supplied data.
    • Capability inventory: The skill can execute the runcomfy tool and write files to the local disk via the --output-dir parameter.
    • Sanitization: The skill's security documentation explicitly mentions that the CLI transmits JSON bodies directly to the Model API over HTTPS without shell-expanding prompt content.
Audit Metadata
Risk Level: SAFE
Analyzed: May 19, 2026, 04:48 PM